Weekly Threat Briefing: US Postal Service Left 60 Million Users Data Exposed For Over a Year

November 27, 2018 | Anomali Labs

The intelligence in this week’s iteration discuss the following threats: Cannon Trojan, Keyloggers, Lazarus Group, L0rdix, Mirai, OceanLotus, Sofacy and Zebrocy. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.

Trending Threats

The Rotexy Mobile Trojan – Banker and Ransomware (November 22, 2018)
The mobile banking trojan, “Rotexy,” has been observed to be active between August 2018 until October 2018, targeting users in Russia, according to researchers from Kaspersky Labs. The campaign conducted over 70,000 attacks against mobile devices utilising three different command sources: Google Cloud Messaging (GCM) service, a malicious Command and Control (C2) server, and incoming text messages. This most recent version of Rotexy functions as both a banking trojan and a ransomware on the infected device. The trojan is spread through links in phishing text messages that request the target to install a particular application. If clicked upon and installed, it requests device administrator privileges and begins communication with the threat actor’s C2. The most recent version of the malware will first check to see if it is running in a virtual machine (VM) and what country IP location the device is in. If the malware infects device out of Russia or is in a VM, the fake application will display an error message and not run. If it successfully infects a Russian device, it registers with GCM and ensures it consistently maintains administrator privileges on the device. Rotexy will then display a fake HTML update page that immobilises the device screen for a while. It will then display a ransom page that states the desired ransom amount. It will redirect the user to a phishing page that appears to be a banking page where they are prompted to enter in their banking card details.Click here for Anomali recommendationMITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link (T1192)

Malware Scum Want to Build a Linux Botnet Using Mirai (November 22, 2018)
Matthew Bing from Netscout disclosed that a threat actor has been observed creating a new Mirai botnet variant that targets Linux servers. This is the first non-Internet-of-Things (IoT) Mirai botnet seen in the wild. The botnet creators have exploited a vulnerability in Hadoop YARN to propagate the bot. This variant only targets Linux servers on x86 machines, but still attempts to brute force factory default usernames and passwords via telnet to obtain access. If the bot gained access to the server, instead of installing malware, it would send the target’s IP address, password, and username to the threat actor’s Command and Control (C2) server. The reason for this is currently unclear.Click here for Anomali recommendationMITRE ATT&CK: [MITRE ATT&CK] Brute Force (T1110)

US Postal Service Left 60 Million Users Data Exposed For Over a Year (November 22, 2018)
The United States Postal Service (USPS) announced that they had suffered a data breach that affected over 60 million customers who had accounts on their official website. The breach occurred due to an authentication issue on the USPS’ application programming interface (API) for the "Informed Visibility" programme. The API programme was designed to help businesses track mail in real-time. The API was able to accept any search parameter, so anyone logged into the site could send a search request for account details of any other users. This means personal information such as account numbers, authorised users, email addresses, mailing campaign data, phone numbers, street addresses, user IDs, and usernames for over 60 million customers was publicly accessible. According to the unnamed researcher who discovered the breach, they had notified the USPS about the vulnerability last year in 2017, but the USPS did not correct the issue until mid-November 2018, after a journalist contacted them regarding the data breach.Click here for Anomali recommendation

L0RDIX: Multipurpose Attack Tool (November 21, 2018)
Ben Hunter, a researcher from enSilo, discovered a new multipurpose malware dubbed “L0rdix” that targets Windows-based machines to steal credentials and mine for cryptocurrency. The tool uses several checks to evade Virtual Machine (VM) environments and sandboxes. L0rdix contains five main embedded modules that can be executed depending on the intended goal and functionality the threat actors utilising it wants. The malware obtains information regarding the machine, once successfully infecting it, such as antivirus tools on the machine, current user privileges, disk hardware device ID, operating system product name, Graphics Controller Model, and RAM availability. Once obtaining that information, L0rdix will send that information to the Command and Control (C2) server, who will then respond with a JSON file containing parameters for the malware. These parameters will determine whether the tool should mine for cryptocurrency (the type of cryptocurrency is specified by the C2 based on the information is gains earlier on the machine) or steal credentials. L0rdix is available for threat actors to purchase in underground/black market forums.Click here for Anomali recommendationMITRE ATT&CK: [MITRE ATT&CK] Process Hollowing (T1093) | [MITRE ATT&CK] Obfuscated Files or Information (T1027) | [MITRE ATT&CK] Scheduled Task (T1053)

TrickBot’s Bigger Bag of Tricks (November 21, 2018)
The popular banking trojan, Trickbot, has been observed to have added more features that steal users’ credentials, specifically targeting Point-of-Sales (PoS) services, according to researchers at Trend Micro. The new module added to the malware, “psfin32,” is modified to specifically identify PoS related terms in the domain and accounts. Once Trickbot has obtained the information it was looking for, it will extract it and store it to a pre-configured “Log” file to then send to the Command and Control (C2) server via a POST connection. It is highly likely that the threat actors leveraging this malware are intending to use it during the holiday seasons to increase the range of machines it can infect to obtain banking and payment information.Click here for Anomali recommendation

Adobe Plugs Critical RCE Flash Player Flaw, Update ASAP! Exploitation May be Imminent (November 21, 2018)
Adobe has released a patch for a critical flaw in FlashPlayer, registered as “CVE-2018-15981” that could allow for remote code execution. This vulnerability affects Flash Player versions 31.0.0.148 and earlier on Windows, macOS, Linux, and Chrome operating systems. It affects the interpreter code of the Action Script Virtual Machine (AVM) where it does not rest a with-scope pointer when an exception is discovered which causes confusion in the system. A patch has been released for this flaw.Click here for Anomali recommendation

Gmail Glitch Enables Anonymous Messages in Phishing Attacks (November 20, 2018)
A vulnerability in Google’s Gmail has been uncovered that could allow a threat actor to leave the “sender” display blank which would allow an email to be sent from “anonymous.” Software developer, Tim Cotten, discovered that Gmail’s User Experience (UX) designs allows the “from” field of an email to be forged by inputting the intended person’s name with a large and arbitrary tag, resulting in the email being from “anonymous” with a blank “from” field. This flaw could allow for threat actors to take advantage of the anonymity and exploit that for phishing attacks. Google has been notified of the problem, but has yet to fix it.Click here for Anomali recommendation

Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America (November 20, 2018)
Lazarus group, a prominent Advanced Persistent Threat (APT) group from the Democratic People’s Republic of Korea (DPRK) has been observed to be recently installing backdoors into the systems of financial institutions in Latin America. Trend Micro researchers noticed that the backdoor called “Msadoz.dll” had been successfully installed into the machines of financial institutions around September 19, 2018. This backdoor had two additional components that were installed alongside the backdoor. The “AuditCred.dll/ROptimizer.dll” is a loader Dynamic Link Library (DLL) that is launched as a service which triggers the installation of the backdoor. The “Auditcred.dll.mui/rOptimizer.dll.mui” configuration file is loaded after the main backdoor is installed onto the machine which extracts the Command and Control (C2) server information and connects to it. This backdoor poses a significant threat to the victim as it is capable of a wide variety of things such as: collect files/folder/drive information, delete files, download files and additional malware, inject code from files to other running processes, launch/terminate/enumerate process, open reverse shell, update configuration data, utilise as a proxy. The backdoor is also able to run in passive mode, meaning that instead of actively connecting to the C2 server, the backdoor will open and listen to a port then receive commands through it.Click here for Anomali recommendationMITRE ATT&CK: [MITRE ATT&CK] Execution through Module Load (T1129) | [MITRE ATT&CK] Data Encrypted (T1022)

OceanLotus: New Watering Hole Attack in Southeast Asia (November 20, 2018)
Researchers from ESET recently discovered a new watering hole campaign conducted by Advanced Persistent Threat (APT) group “OceanLotus” (also known as APT32 and APT-C-00). This campaign has been observed to target sites in Southeast Asia, particularly Cambodian and Vietnamese sites. At least 21 sites have been compromised including sites for the Ministry of Defense of Cambodia, the Ministry of Foreign Affairs, the International Cooperation of Cambodia, as well as Vietnamese newspapers and blogs. The compromised websites contain a small bit of JavaScript code in either the index page or within a JavaScript file hosted on the same server that loads another script of the APT group’s that begins the process to eventually fingerprint the visiting user. Interestingly, this malicious JavaScript code only runs if the site visitor is from Vietnam or Cambodia, which suggests that those two countries are the intended targets. To evade detection, the malicious script is obfuscated to prevent static analysis. The URL typosquats as a legitimate JavaScript library used by the site. The script varies for every compromised website, and each compromised website uses a different domain and URI. It is unclear at the time of this article’s publication what the final payload being dropped is.Click here for Anomali recommendationMITRE ATT&CK: [MITRE ATT&CK] Trusted Relationship (T1199) | [MITRE ATT&CK] Scripting (T1064)

For Apple Users Without Latest Security Updates, the Letter 'd' is Not Always the Letter 'd' (November 20, 2018)
Apple users who have not installed the most recent Apple updates to their devices are vulnerable to an innovative typosquatting tactic, dubbed “IDN homograph attack.” These attacks target a vulnerability in the Safari browser that makes the extended Latin Unicode “dum” (ꝱ) appear as a normal lowercase “d” in the domain. Threat actors have been observed purchasing typosquatted domains that contain the “ꝱ” knowing that Apple users with an out-of-date device will not recognise the change, and will likely fall vulnerable to this phishing attack. The risk to The attack surface is quite large as the top 10,000 domains contain the letter “d” and have the potential to be typosquatted by threat actors.Click here for Anomali recommendation

Business Email Compromise Scam Costs Pathé $21.5 Million (November 20, 2018)
European-based cinema company, Pathé, is reported to have lost over $21.5 million USD (approximately €19 million) from a Business Email Compromise (BEC) that occurred in March 2018. The scam allegedly ran for approximately a month. This campaign targeted both the company’s CEO and CFO in the Netherlands pretending to be the heads of the French office. The scam emails stated that the head office in France was attempting to acquire a foreign organisation in Dubai and that it was to be strictly confidential to avoid competitors finding out. The CEO and CFO wired approximately €800,000 initially and continued to send money, even whilst on vacation. Following the legitimate head office discovering the scam, both the CEO and CFO were fired due to not noticing the “red flags.”Click here for Anomali recommendation

VisionDirect Blindsided by Magecart in Data Breach (November 19, 2018)
UK-based optical lens site, VisionDirect, announced that they suffered a data breach that compromised customers’ personal and bank details. The breach disclosure stated that the incident occurred between November 3 through 8, 2018. Only information entered or updated in the system during those days were compromised, so existing customers who were not active at all between the 3rd and 8th, are unaffected. The information compromised includes addresses, card numbers, CVVs, email addresses, expiration dates of cards, names, passwords, and telephone numbers. Independent security researchers discovered that a JavaScript keylogger was injected into the VisionDirect’s website, so it is highly suspected the threat group, MageCart, is behind this.Click here for Anomali recommendationMITRE ATT&CK: [MITRE ATT&CK] Scripting (T1064)

Unauthorised Users Could Have Accessed Private Information of 7,700 People Following ETSU Breach (November 19, 2018)
East Tennessee State University (ETSU) announced that they had suffered a data breach after two unnamed employees clicked on a link in a phishing email that granted the threat actors access to employee information. Approximately 7,700 employees are likely to have had their private information like full names and Social Security Numbers (SSN) accessed. It is believed that the phishing emails purported to be from a supervisor of the employees who ended up clicking the link. The amount of information accessed is currently unclear, as the threat actors could potentially obtain information reaching all the way back to 2013 from the two compromised email accounts. ETSU discovered the breach on October 17, 2018, but only just announced the breach on November 29, 2018.Click here for Anomali recommendationMITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link (T1192)

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. Click here to request a trial. Additional information regarding the threats discussed in this week’s Community Threat Briefing can be found below:

The Advanced Persistent Threat group (APT) “Lazarus Group” is believed to be based in the Democratic People's Republic of Korea (DPRK) and has been active since at least 2009. Lazarus Group is believed to be composed of operatives from “Bureau 121” (121국), the cyber warfare division of North Korea’s Reconnaissance General Bureau. The Reconnaissance General Bureau was formed due to a reorganization in 2009 but its exact structure is not known due to North Korea’s denial and deception tactics. Bureau 121 is North Korea’s most important cyber unit that is used for both offensive and defensive operations. Bureau 121 are referred, in South Korean open-source media, as the “Electronic Reconnaissance Bureau’s Cyber Warfare Guidance Bureau” (전자정찰국 사이버전지도국). The term “guidance” in the context of North Korea often denotes that an organization is personally overseen by the head of state of North Korea as a strategically significant entity. Lazarus Group has targeted financial organizations since at least July 2009, The group is well known for their tendency to engage in data destruction/disk wiping attacks, and network traffic Distributed Denial-of-Service (DDoS) attacks, typically against the Republic of Korea (South Korea). The group targets various industries and sectors including South Korean and US government organizations, Non-Governmental Organizations (NGO), media and entertainment organizations, as well as shipping and transportation organizations, Korean hydro and nuclear power, and jamming of South Korean GPS.